Major identity thieves obtain personal information from retailers, financial companies and other businesses about half the time, a new study suggests, undercutting a common perception that potential victims should worry most about being scammed by people they know.
The federally funded study being released today paints a complex portrait of the signature crime of the digital age, one that has been the top consumer-fraud complaint to federal authorities for six consecutive years.
Of more than 500 offenders arrested by the U.S. Secret Service between 2000 and 2006, 8 percent were related to or socially acquainted with victims whose sensitive data were used to write checks, take out loans or buy cars.
"The role of strangers -- that's different than what's been reported until now," said lead scientist Gary Gordon, of the year-old Center for Identity Management and Information Protection at Utica College in New York, which produced the report.
Previous analyses mainly were based on surveys of victims who knew how someone ended up pretending to be them. They often pointed to acquaintances. Federal Trade Commission officials have faulted such figures, saying most victims of online thefts and compromised businesses are unlikely to learn how their information was pried loose.
The best-known of the past studies have been publicized by the for-profit firm Javelin Strategy & Research, which has taken funding from Visa USA, Wells Fargo & Co. and others that benefit from electronic transactions.
In April, for example, the Pleasanton, Calif., company said consumer fears about data break-ins were overblown because "breaches only account for 3 percent of all known-cause ID fraud." Javelin has said that half of known offenders are family or friends, and this year it said that 40 percent of ID theft cases stem from lost or stolen wallets, credit cards and checks.
But the Utica College research shows that "non-technological means" such as mail theft and rooting about in trash bins were used in about 20 percent of the ID theft crimes solved by the Secret Service. That's the same proportion driven by Internet scams such as e-mail hustles and computer hacking.
The most common tool for identity theft was a range of technology devices, a broad category that includes credit card encoders, computer printers and telephones. Devices were used 37 percent of the time.
The new study is based on cases closed by the Secret Service, which has become the lead federal agency in criminal identity theft by dint of its role protecting U.S. financial systems.
Javelin founder James Van Dyke said Saturday he didn't see a conflict with his company's results because the Secret Service typically takes high-dollar cases. Those would be more likely to involve businesses, strangers and technology than Javelin's broad base of victims reached through telephone polling, Van Dyke said.
The average loss in the Utica College database was $31,000, while a Gartner Inc. survey of consumer victims this year found an average loss of about $3,300.
Gordon did caution against generalizing from the statistics because his study looked only at cases that were solved by the Secret Service -- a tiny share of the more than 15 million annual instances estimated by Gartner. Other prosecutions are handled by local or state police.
The exclusion of unsolved cases could skew the findings. In particular, crimes in which the trails lead overseas are much harder to pursue, government experts said. They might include a higher proportion of Internet-assisted attacks.
Among the other findings by Gordon's team: When businesses were targeted, 40 percent of the time it was by employees of the companies. In the employee cases, 60 percent worked in retail and 22 percent in financial services. Gordon said the effects of new security measures for businesses should be studied.
Criminals had one or more accomplices 42 percent of the time, and the more people involved, the higher the average losses.
Joseph Menn writes for the Los Angeles Times.